Microsoft Domain Controllers Syslog Configuration - 5thColumn/Revolver-wiki-archive GitHub Wiki
- Log into your domain controller(s) as a user with administrative rights.
- Download and install NXLog Community Edition from https://nxlog.co/system/files/products/files/348/nxlog-ce-2.11.2190.msi.
- Open Notepad as an administrator:
  - Click the Windows menu icon at the bottom left of the screen.
  - Find the Notepad application or simply search for it.
  - Right click on Notepad and click on “Run as administrator”.
- Click File → Open, and in the dropdown to the right of the file name box select “All Files”.
- Open the file C:\Program Files (x86)\nxlog\conf\nxlog.conf.
- Navigate to the end of the file, and add the following (making sure to replace the REVOLVER_IP and SYSLOG_PORT placeholders with the correct values):

```
# Read the Windows event log (Application and Security channels) via the Event Log API
<Input eventlog>
    Module      im_msvistalog
    # Tag every event so the collector can recognise Windows event log data
    Exec        $LogTag = 'MSWinEventLog';
    # XPath query selecting which channels/events to forward
    Query       \
        <QueryList>\
            <Query Id='0'><Select Path='Application'>*</Select></Query>\
            <Query Id='1'><Select Path='Security'>*</Select></Query>\
        </QueryList>
</Input>

# Send events to Revolver as IETF (RFC 5424) syslog over UDP
<Output revolver_udp>
    Module      om_udp
    Host        REVOLVER_IP
    Port        SYSLOG_PORT
    # Requires the xm_syslog extension to be loaded (see below)
    Exec        to_syslog_ietf();
</Output>

# Connect the input to the output
<Route eventlog_to_revolver_udp>
    Path        eventlog => revolver_udp
</Route>
```
- Also make sure the following extensions are declared somewhere in the file:

```
# Provides to_syslog_ietf() used by the output above
<Extension _syslog>
    Module      xm_syslog
</Extension>

# Provides the exec_async()/exec() functions
<Extension _exec>
    Module      xm_exec
</Extension>
```
- Click File → Save.
- Find or search for the Services application from the Windows menu and open it.
- Finally, scroll down and find the nxlog service. Right click on it and click Start.
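Added check, not part of the original wiki page: a small Python parser for the RFC 5424 (IETF) syslog lines that `to_syslog_ietf()` emits, run here on constructed sample lines, which reports per channel and EventID what has been received and flags any channel selected by the two `Query` entries above (Security, Application) that has not yet arrived at the collector. The `NXLOG@14506` structured-data element and the field names inside it are assumptions about NXLog's output; confirm them against a message captured from your own domain controller.

```python
import re
from collections import Counter

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then SD and MSG
HEADER = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ver>\d+) (?P<ts>\S+) (?P<host>\S+) "
                    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$", re.S)
# One SD-ELEMENT: [SD-ID PARAM="value" ...]; values may contain escaped quotes/brackets
SD_ELEMENT = re.compile(r'\[(?P<id>[^\s\]]+)(?P<params>(?: [^\s=\]]+="(?:[^"\\]|\\.)*")*)\]')
SD_PARAM = re.compile(r'([^\s=\]]+)="((?:[^"\\]|\\.)*)"')

def parse_ietf(line):
    """Parse one RFC 5424 line into a dict; raises ValueError if it is malformed."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 5424 message: %r" % line[:40])
    rec, sd = m.groupdict(), {}
    pri = int(rec.pop("pri"))
    rec["facility"], rec["severity"] = pri >> 3, pri & 7
    rest = rec.pop("rest")
    pos = 1 if rest.startswith("-") else 0          # "-" is NILVALUE: no structured data
    while pos < len(rest) and rest[pos] == "[":     # zero or more SD-ELEMENTs
        e = SD_ELEMENT.match(rest, pos)
        if not e:
            raise ValueError("malformed structured data")
        # Unescape \" \] \\ inside parameter values
        sd[e.group("id")] = {k: re.sub(r"\\(.)", r"\1", v) for k, v in SD_PARAM.findall(e.group("params"))}
        pos = e.end()
    rec["sd"], rec["msg"] = sd, rest[pos:].lstrip()
    return rec

def channel_report(lines, expected=("Security", "Application")):
    """Count events per (Channel, EventID) and list expected channels not seen yet.
    Assumes (as NXLog does) that the Windows fields live in the NXLOG@14506 SD element."""
    counts, seen = Counter(), set()
    for line in lines:
        fields = parse_ietf(line)["sd"].get("NXLOG@14506", {})
        ch = fields.get("Channel", "?")
        seen.add(ch)
        counts[(ch, fields.get("EventID", "?"))] += 1
    return counts, sorted(set(expected) - seen)

# Constructed sample lines in the shape NXLog's to_syslog_ietf() produces (not real DC output)
SAMPLE = [
    '<110>1 2024-01-15T10:22:31.000000+00:00 DC01 Microsoft-Windows-Security-Auditing 4 - '
    '[NXLOG@14506 EventType="AUDIT_SUCCESS" EventID="4624" Channel="Security"] An account was successfully logged on.',
    '<110>1 2024-01-15T10:22:32.000000+00:00 DC01 Microsoft-Windows-Security-Auditing 4 - '
    '[NXLOG@14506 EventType="AUDIT_FAILURE" EventID="4625" Channel="Security"] An account failed to log on.',
    '<14>1 2024-01-15T10:22:33.000000+00:00 DC01 MsiInstaller 1234 - '
    '[NXLOG@14506 EventType="INFO" EventID="1033" Channel="Application" Message="Product: \\"X\\" installed"] Installed.',
]
```

If a channel is reported as missing, no event from that `Query` has reached the collector yet: confirm the nxlog service is running on the DC and that at least one event has been written to that channel before looking at the network path.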